wannacry | 4d0196b2f88499de79d6bd780669038b088ee5dd9669309456f1f5a5878ae2ea

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

716d0a6be236c224490d4fa616aa3fe9_JaffaCakes118.dll
Size

5.0MB
MD5

716d0a6be236c224490d4fa616aa3fe9
SHA1

eb534cd61e9ebff420a90dddc335a61def4aa6d3
SHA256

4d0196b2f88499de79d6bd780669038b088ee5dd9669309456f1f5a5878ae2ea
SHA512

9228c742d8fd84cf3b1d138a5fdc73eae8be065bf53500f50746a7914b002f55db3d64484bbf888bb55cb197b7dc64e55c322c1e6053fa47bbf8a9600ac64913
SSDEEP

49152:znAQqMSPbcBVQM1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:TDqPoBr1aRxcSUDk36SAEdhvxWa9

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3276) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3216 mssecsvc.exe
3440 mssecsvc.exe
2516 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3216	mssecsvc.exe
3440	mssecsvc.exe
2516	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1552 wrote to memory of 396	1552	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 396	1552	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 396	1552	rundll32.exe	rundll32.exe
PID 396 wrote to memory of 3216	396	rundll32.exe	mssecsvc.exe
PID 396 wrote to memory of 3216	396	rundll32.exe	mssecsvc.exe
PID 396 wrote to memory of 3216	396	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\716d0a6be236c224490d4fa616aa3fe9_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\716d0a6be236c224490d4fa616aa3fe9_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:396

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3216

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2516

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3440

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
207ebe9e0beee12107ca7cea1ffc48b2

SHA1
47d557e29969f0461ce00269264a15c0f92e58e8

SHA256
a0f0a4886696aa5e74f4f0d36dcdf786b15bf0a697ecd0db57fa0eca37ef0a23

SHA512
fa866f62e82037abb00bff5c4e063758780c050ef0f5df51b1d8ce945a91728aaf68c848a9b7f5351430e8879602dd09fc037d0d7f63b8f88bfb0e85b37d03b9

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
909cda282d1821fa501a421cab121c7f

SHA1
7fec6f0eec3f439c09e9311a695cab537014291f

SHA256
f3418976e547a9455ea56dfe35ba0bc3aad9811830e2d0b1693241043d0695f1

SHA512
b66b77afaa0f9906d0d40e28d2f6d07c8c9d7083626a7a1aafd31c428cb17a7dfee7b5f6a6aa02dcf7c4cfdb8612739273f83a14a27d27b9f525b63e46899cf2

Download Submit